Virtual TapeServer 6.04.04 for NonStop Servers Supplemental Installation Guide

Enabling Instant DR and AutoCopy
Repeat these steps on each remote server. You should get similar results.
Note: RSH can be set up for one direction or multiple directions. If multiple directions
are configured, these steps should also be executed from the other direction.
9. Check the SSH connection, if you configured SSH.
a. At the command prompt, log in.
b. Become bill:
su - bill
c. At the command prompt, enter ssh user@server uptime. For example, on the Boston
server, enter ssh bill@boston uptime.
The first time you enter an ssh command, a message similar to the following is
displayed:
    The authenticity of host 'server_name (IP_addr)' can't be established.
    RSA key fingerprint is 5f:10:3c:47:78:8f:e3:28:9d:ab:6b:34:ed:d1:e4:08.
    Are you sure you want to continue connecting (yes/no)?
Enter yes.
d. Repeat these steps on each VTS server.
Note: SSH can be set up for one direction or multiple directions. If multiple directions
are configured, these steps should also be executed from the other direction.
Configuring TCP/IP security
Securing Instant DR traffic becomes necessary if the communication link between VTS
servers is not completely within your network. If you do not secure the link, others can
gain access to the VTS operating system over TCP/IP from outside the corporate network.
To tighten security, you can configure iptables to block all TCP/IP traffic going to eth1
except SSH, RSH, and ICMP (ping and traceroute).
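The rules listed in step 2 of the procedure below are evaluated top to bottom and the first match decides. The following Python sketch is an added example, not part of the vendor guide: it walks constructed sample packets through those rules to show which rule decides each one. The packet field names and samples are assumptions, and the matcher models only the flags these rules use.

```python
# Added example: first-match walk of the guide's INPUT rules (not vendor code).
RULESET = """\
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state INVALID -j REJECT
"""
# Only the match flags that appear in the rules above are modelled.
MATCH_FLAGS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_rule(line):
    """Turn one '-A INPUT ...' line into {'target': ..., <match fields>}."""
    tok = line.split()
    rule = {"target": tok[tok.index("-j") + 1]}
    for flag, field in MATCH_FLAGS.items():
        if flag in tok:
            rule[field] = tok[tok.index(flag) + 1]
    return rule

RULES = [parse_rule(line) for line in RULESET.splitlines()]

def verdict(pkt, rules=RULES, policy="ACCEPT"):
    """Return (target, rule_number); rule_number is None if the chain policy decides."""
    for n, rule in enumerate(rules, 1):
        if all(str(pkt.get(f)) == v for f, v in rule.items() if f != "target"):
            return rule["target"], n
    return policy, None

# Constructed sample packets (hypothetical field names: iface, proto, dport, state).
SAMPLES = {
    "ssh_new_eth1":   {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"},
    "web_new_eth1":   {"iface": "eth1", "proto": "tcp", "dport": 80, "state": "NEW"},
    "tcp_reply_eth1": {"iface": "eth1", "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
    "udp_reply_eth1": {"iface": "eth1", "proto": "udp", "dport": 40000, "state": "ESTABLISHED"},
    "invalid_eth1":   {"iface": "eth1", "proto": "tcp", "dport": 80, "state": "INVALID"},
    "invalid_eth0":   {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "INVALID"},
    "web_new_eth0":   {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"},
    "ping_eth1":      {"iface": "eth1", "proto": "icmp", "dport": None, "state": "NEW"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> {verdict(pkt)}")
```

The walk shows that the state rules cover TCP only, so UDP replies arriving on eth1 are rejected, that the final INVALID rule can only match on interfaces other than eth1, and that traffic on other interfaces falls through to the ACCEPT policy.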
To configure TCP/IP security
1. On the VTS server, create the /etc/sysconfig/iptables file and open it for editing.
2. Insert the following lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state INVALID -j REJECT